deleting them as they come
JP in.
JP Hopefully they will actually stop on the 20th.
JP jp
JP - Original Message -
JP From: Hermann Strassner [EMAIL PROTECTED]
JP To: [EMAIL PROTECTED]
JP Sent: Monday, September 08, 2003 3:59 AM
JP Subject: RE: [Declude.Virus] SoBig more prolific now?
were
I'm tired of doing that
- Original Message -
From: Eje Gustafsson [EMAIL PROTECTED]
To: Jeff Pereira [EMAIL PROTECTED]
Sent: Monday, September 08, 2003 10:42 AM
Subject: Re[2]: [Declude.Virus] SoBig more prolific now?
If I were you and the infected machine connected directly
.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eje Gustafsson
Sent: Monday, September 08, 2003 10:43 AM
To: Jeff Pereira
Subject: Re[2]: [Declude.Virus] SoBig more prolific now?
If I were you and the infected machine connected directly to your
mailserver I
Last night I got hammered with about 3,000 sobigs in the course of
about 2 hours from one infected computer - it seems this particular
computer had almost every address from my domain on it. This morning I
got about 100 from another computer - the strange thing was that all 100
were sent to a
There ain't no cure for stupidity.
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type unsubscribe Declude.Virus. The archives can be
This is getting ridiculous
i have more than 36% infected ratio
all sobig.f
is there anything i can do about that?
is there a utility that will go thru the log and count the numbers of
viruses per remote (or local) ip address? so i can block the most guilty
addresses on my gateway?
Scan Summary
is there a utility that will go thru the log and count the numbers of
viruses per remote (or local) ip address? so i can block the most guilty
addresses on my gateway?
You might want to go to the spool directory at a command prompt, and type:
find "Received:" D*.SMD > file1.txt
sort
:51 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] SoBig
is there a utility that will go thru the log and count the numbers of
viruses per remote (or local) ip address? so i can block the most guilty
addresses on my gateway?
You might want to go to the spool directory at a command
: Saturday, August 30, 2003 1:51 AM
Subject: Re: [Declude.Virus] SoBig
is there a utility that will go thru the log and count the numbers of
viruses per remote (or local) ip address? so i can block the most guilty
addresses on my gateway?
You might want to go to the spool directory at a command prompt
, August 29, 2003 8:57 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] SoBig
thanks scott
i was able to select a dozen of addresses and this is making a big
difference
!SoBig senders
deny tcp host 200.93.136.5 any eq smtp
deny tcp host 81.192.2.130 any eq smtp
deny tcp host 80.11.225.195 any eq
SMTP for the changes to take effect
Marc
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Dan Spangenberg
Sent: Saturday, August 30, 2003 1:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] SoBig
Where are you denying those IP addresses at your
You might want to go to the spool directory at a command prompt, and type:
find "Received:" D*.SMD > file1.txt
sort < file1.txt > file2.txt
That would be the spool\virus directory, correct?
Good catch, you are correct. It should be the spool\virus directory.
www.eservicesforyou.com
-Original Message-
From: [EMAIL PROTECTED] [mailto:Declude.Virus-
[EMAIL PROTECTED] On Behalf Of R. Scott Perry
Sent: Tuesday, August 26, 2003 1:44 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
People are typically unaware
I'll buy that virus!
Greg
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, August 26, 2003 4:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
Ok, this calls for a white hat virus creator
]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, August 26, 2003 04:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
Ok, this calls for a white hat virus creator.
A virus that will infect all these unpatched computers, and the only
A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says Patch your
computer, you dummy.
I can hear the tech calls now.
I have this big window calling me a dummy. what am I supposed to do?
People are typically unaware that their machine is infected - because it
continues to function perfectly.
That is very true.
We infected a computer in our virus lab with Sobig.F, and you couldn't tell
anything unusual was happening. The file didn't seem to do anything when
it was run (so the
I like that idea very much...
- Original Message -
From: John Tolmachoff (Lists) [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 1:56 PM
Subject: RE: [Declude.Virus] Sobig, the next wave?
Ok, this calls for a white hat virus creator.
A virus that will infect
Where do i send my donation to get this going LOL! let's do it.
- Original Message -
From: Andy Schmidt [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 3:02 PM
Subject: RE: [Declude.Virus] Sobig, the next wave?
Okay, I'll donate some funds.
Best Regards
Andy
:56 PM
Subject: RE: [Declude.Virus] Sobig, the next wave?
Ok, this calls for a white hat virus creator.
A virus that will infect all these unpatched computers, and the only thing
it does is create a big bold red popup every 15 minutes that says Patch your
computer, you dummy.
John Tolmachoff MCSE
Hahaha.. I have a list of about 20+ computer IPs that we can start with..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Webmaster Oilfield
Directory
Sent: Tuesday, August 26, 2003 9:54 PM
To: [EMAIL PROTECTED]
Subject: Re: [Declude.Virus] Sobig
That's true, also most people don't know how they have to patch their
computer, or even what all this stuff means. They are not stupid, but are
unknown. That's where we come in. Advising and helping those people is our job.
But too much is too much.
So what I do is create a message with a removal/fix
--
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of John Tolmachoff
(Lists)
Sent: Tuesday, August 26, 2003 2:43 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig, the next wave?
I have seen
vir0819.log 437 437
vir0820.log 2,939 2,939
vir0821.log 3,937 3,937
vir0822.log 2,755 2,755
vir0823.log 275 275
vir0824.log 91 91
vir0825.log 8,525
:[EMAIL PROTECTED] On Behalf Of John Carter
Sent: Wednesday, August 27, 2003 09:21 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
Regarding a major increase in Sobig, this is what happened here.
John
Log File Summary -
Log
-Original Message-
From: Jeff Maze - Hostmaster [mailto:[EMAIL PROTECTED]
Sent: 27 August 2003 14:47
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
I don't think that's a dumb question 'cuz I would like to know that
too..
-Original Message-
From: [EMAIL PROTECTED
I don't think that's a dumb question 'cuz I would like to know that too..
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sharyn Schmidt
Sent: Wednesday, August 27, 2003 8:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave
PROTECTED] Behalf Of Pat Hastings
Sent: Wednesday, August 27, 2003 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
You can download it here http://www.csonline.net/imailstuff/viruslog.htm
There is also a batch file that does a similar thing but I can't get it to
work
You can download it here http://www.csonline.net/imailstuff/viruslog.htm
It *is* my day for dumb questions, or perhaps it's a tribute to Declude
virus that I haven't had to touch the config file since the day I
installed it. After changing the loglevel to MID to use this tool, does
anything need
Subject: RE: [Declude.Virus] Sobig, the next wave?
Regarding a major increase in Sobig, this is what happened here.
John
Log File Summary -
Log Name Virus Count Total Scanned
vir0801.log 2 2
vir0802.log 5 5
vir0803.log 1 1
vir0804.log 5 5
You need to restart the SMTP server to let the changes take effect
-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]
Sent: 27 August 2003 15:22
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
You can download it here http://www.csonline.net
: Wednesday, August 27, 2003 9:22 AM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
You can download it here http://www.csonline.net/imailstuff/viruslog.htm
It *is* my day for dumb questions, or perhaps it's a tribute to Declude
virus that I haven't had to touch the config
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig, the next wave?
You need to restart the SMTP server to let the changes take effect
-Original Message-
From: Sharyn Schmidt [mailto:[EMAIL PROTECTED]
Sent: 27 August 2003 15:22
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig
THIS IS AN INCREDIBLE GROUP !
DECLUDE IS AN INCREDIBLE PRODUCT !!!
KUDOS to you Scott.
Grateful THANKS to all the members who contributed yesterday !
I usually delete about 2500-3000 files from the virus folder every
morning.
The load in the last 24 hours was a few over 20,000.
The
]
Subject: [Declude.Virus] Sobig- The Morning After
THIS IS AN INCREDIBLE GROUP !
DECLUDE IS AN INCREDIBLE PRODUCT !!!
KUDOS to you Scott.
Grateful THANKS to all the members who contributed yesterday !
I usually delete about 2500-3000 files from the virus folder every morning.
The load
tcp any any eq 8998 log
- Original Message -
From: Jeff Maze - Hostmaster [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 4:01 PM
Subject: RE: [Declude.Virus] Sobig- The Morning After
Wow.. That's great..
What port was the machine trying to use? And what IP
At 11:45 AM 8/23/2003 -0500, you wrote:
THIS IS AN INCREDIBLE GROUP !
DECLUDE IS AN INCREDIBLE PRODUCT !!!
KUDOS to you Scott.
Grateful THANKS to all the members who contributed yesterday !
Agreed! My users were protected even before receiving the updated DAT's due
to banning the
Not only that - but what's this web address that will be updated.
If it's an IP - then it should be easy to contact the upstream provider.
If it's a FQDN - then it should be easy for the registrar to lock this
particular domain against updates
I don't see why this is supposedly so difficult to
According to this NBC news report, it will occur every Friday and Sunday.
http://www.nbc4.tv/technology/2426381/detail.html?treets=latml=la_natlbreak
ts=Ttmi=la_natlbreak_15913_01270008222003
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
See http://isc.sans.org/diary.html?date=2003-08-22
Sobig Update Cycle
SoBig-F, the most recent incarnation in the family of Sobig mass mailing
viruses, will be entering its update cycle today at 19:00 UTC. Between 19:00
and 22:00 UTC, the virus will attempt to contact a predefined set of hosts
PROTECTED] On Behalf Of Mark Smith
Sent: Friday, August 22, 2003 01:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment
The worm connects to one of these 20 servers and authenticates itself with
a secret 8-byte code. The servers respond with a web address. Infected
http://www.washingtonpost.com/wp-dyn/articles/A32161-2003Aug22.html
PROTECTED]
Sent: Friday, August 22, 2003 10:33 AM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment
It would seem to me that someone's decoded this encrypted list and if we
knew what it was we could setup access lists to block connections to the
20 machines.
Ask, and you shall receive
It makes me really wonder how many stupid people are not able to patch
their own system (or at least outlook).
Exactly!
they can't do more. (except write a worm that installs automatically all
available patches from MS)
What they (M$) really need to do, is make windows update integrated into
What they (M$) really need to do, is make windows update
integrated into Windows, the problem is they tell you Stay
current with updates in a little box above the taskbar when
There are huge debates about this. It's amazing that people are against
this.
Look at the newsgroups, etc...
If it was easy, and if every computer user was computer literate and
responsible, we wouldn't have jobs...
Andy
- Original Message -
From: Markus Gufler [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, August 22, 2003 3:17 PM
Subject: RE: [Declude.Virus] Sobig- Phase II bombardment
Anyone seeing/hearing of any happenings on this?
John Tolmachoff MCSE CSSA
Engineer/Consultant
eServices For You
www.eservicesforyou.com
Anyone seeing/hearing of any happenings on this?
F-Secure has reported that 1 of the 20 servers appears to be up, but it is
so overwhelmed that viruses aren't getting anything from it. But that does
mean that some could be getting through.
All we've seen is what seems to be a precautionary
Hi;
Interesting...
"... Sobig is
unusual in that it has the ability to go onto the Internet from its host PC and
update itself with new capabilities, Huger said.
Those capabilities could include tools for
denial-of-service attacks or relaying spam. "It's entirely up to the
] On Behalf Of Andy Schmidt
Sent: Tuesday, August 19, 2003 11:11 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] Sobig - Easy to Detect?
Hi,
Is it just me, or is Sobig.F always adding the fake header:
X-MailScanner: Found to be clean
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20
FYI: Mcafee's Extra Dat is not catching all instances of this virus...
However, it is still being dropped by the banned pif extension.
Darrell
PROTECTED] On Behalf Of Darrell LaRock
Sent: Tuesday, August 19, 2003 12:23 PM
To: [EMAIL PROTECTED]
Subject: [Declude.Virus] SoBig F
FYI: Mcafee's Extra Dat is not catching all instances of this virus...
However, it is still being dropped by the banned pif extension.
Darrell
FYI: Mcafee's Extra Dat is not catching all instances of this virus...
However, it is still being dropped by the banned pif extension.
Wow! I've noted over 200 hits of this virus today so far. sheesh.
Paul - Glad I have Fprot checking for updates every 2 hours to be safe.
Hi,
Is it just me, or is Sobig.F always adding the fake header:
X-MailScanner: Found to be clean
Best Regards
Andy Schmidt
Phone: +1 201 934-3414 x20 (Business)
Fax:+1 201 934-9206
As far as I can tell yes.
Best regards,
Eje Gustafsson mailto:[EMAIL PROTECTED]
The Family Entertainment Network http://www.fament.com
Phone : 620-231- Fax : 620-231-4066
- Your Full Time Professionals -
Mikrotik OEM dealer - Online
56 matches